[fix] attribute escaping during ssr (#7333)

Fixes #7327 and a related security issue

src/runtime/internal/ssr.ts

@@ -177,7 +177,8 @@ export function create_ssr_component(fn) {
 
 export function add_attribute(name, value, boolean) {
 	if (value == null || (boolean && !value)) return '';
-	return ` ${name}${value === true && boolean_attributes.has(name) ? '' : `=${typeof value === 'string' ? JSON.stringify(escape(value)) : `"${value}"`}`}`;
+	const assignment = (boolean && value === true) ? '' : `="${escape_attribute_value(value.toString())}"`;
+	return ` ${name}${assignment}`;
 }
 
 export function add_classes(classes) {

test/server-side-rendering/samples/attribute-escaped-quotes/_expected.html

@@ -1,3 +1,4 @@
 <div
-	foo="&#34;></div><script>alert(42)</script>"
+	foo="&#34;></div>\<script>alert(42)</script>"
+	bar="&#34;></div>\<script>alert(42)</script>"
 ></div>

test/server-side-rendering/samples/attribute-escaped-quotes/main.svelte

@@ -1,5 +1,6 @@
 <script>
-	export let foo = '"></div><script>alert(42)</' + 'script>';
+	export let foo = '"></div>\\<script>alert(42)</' + 'script>';
+	export let bar = { toString: () => '"></div>\\<script>alert(42)<\/script>' };
 </script>
 
-<div foo={foo}></div>
+<div foo={foo} bar={bar}></div>